Can’t stop the tweet: the peril—and promise—of social networking for IT

To corporate IT departments, Twitter and Facebook and LinkedIn often look like …

In 2009, over 300 sensitive company documents, including financial projections and office security codes, were stolen from a Twitter employee's Google Docs account. An individual named "Hacker Croll," claiming responsibility, shared the documents with TechCrunch, which published a portion of the trove online.

More recently, there was the case of Scott McClellan, HP’s chief technologist and interim vice president of engineering and cloud services. In a May update to his publicly accessible LinkedIn profile, McClellan revealed HP's planned foray into cloud computing software and solutions—well in advance of the company's official news release.

Both were costly leaks—and, from an IT perspective, veritable nightmares. After all, corporate intranets were designed with the express purpose of keeping such sensitive information internal and under control. But the rise of social platforms in the workplace poses a new set of challenges and risks. Most popular services exist outside the realm of the traditional corporate network, in a public-facing world where actions and information cannot be so easily secured.

Put another way, Internet realities are clashing with long-held IT sensibilities, and social-engineered attacks, absent-minded leaks, and malicious links abound. But it's not all doom and gloom. Social media can bring as much good as it can bad, so long as companies understand the inherent risks.

Going public

Social media can make attacks easier by providing a simple contact channel to many people who used to be harder to find and engage with. Hacker Croll's methods were far from advanced. A feat of social engineering allowed Croll to take control of the victim's email, and from there, gain access to other associated accounts. PayPal, iTunes, Amazon, Docs—it took one break-and-enter for all the rest to fall.

Therein lies the problem: even the most private company is now surprisingly public. Internal networks still exist, but they've been joined by a myriad of online services. Companies may not handle invoices internally anymore, but rely on FreshBooks instead. E-mail servers might not be sitting in a closet down the hall, but behind a domain belonging to Google. Apps are moving beyond company walls—and in many cases, beyond the reach of IT—taking security and control with them.

Then there are the employees themselves, no longer faceless or nameless, but easily identifiable on Facebook, Twitter, Tumblr, and more. According to Palo Alto Networks' May 2011 Application Usage and Risk Report, social networking traffic from the likes of Twitter and Facebook increased nearly five-fold when compared to the previous year. And that’s not even counting the added number of employees using personal devices to access social media via non-corporate networks. Even if your IT department has yet to embrace the social Web, it’s likely that users already have.

Thus, for any given employee, there are now more accounts, profiles, and publicly accessible pages online than ever before. A quick search won’t just reveal funny links and comments, but identifiable data, too—facts and biographical information that might appear useless in isolation, but paint a bigger picture when combined.

"Our whole root of trust as an individual comes down to a set of data points about us,” said Dr. Hugh Thompson, program committee chairman for RSA Conferences and chief security strategist at New York-based consulting firm People Security. “The street you grew up on, mom's favorite dessert—these are things that would have previously been known by only close friends."

Such data, referred to by Thompson as “gateway information,” can be gathered and catalogued to aid in a socially engineered attack. Case in point: by the time Hacker Croll leaked his information, he had amassed “a rich catalog of data” on Twitter employees, according to a post by TechCrunch’s Nik Cubrilovic, who spoke with Croll following the attack. "Information like birth dates, names of pets, and other seemingly innocent pieces of data [was] also found and logged," he wrote.

This sort of information can be difficult to contain. There's simply too much of it stored in too many places. And our inclination to share this data with a seemingly close-knit community of friends can make matters even worse.

If you can tweet it, you can leak it

According to Panda Software's 2010 Social Media Risk Index (PDF) for small to medium-sized businesses, nearly a quarter of organizations surveyed lost sensitive data via online social networks. And in many cases, it’s likely the employees in question weren’t even aware they had done anything wrong.

Sites such as Facebook are based on a circle of trust between people whom we perceive to be friends. But these "friends" can also include your colleagues and perhaps even your boss. Personal and professional lives can become blurred, and it’s easy to forget that the information being shared is not always as private as we may think.

HP’s Scott McClellan no doubt believed he was making an innocuous change to his LinkedIn account. He may have very well thought its contents were private. But they weren’t, and his mistake cost HP its well-kept plans.

This type of leak—often called oversharing—is perhaps the single biggest problem with corporate social media use. In fact, in Panda Security’s survey, nearly 75 per cent of respondents considered privacy violations resulting in the loss of sensitive data their most pressing concern.

That’s not to say that all sharing incidents are absent-minded leaks. According to Thompson, it’s not common to find an employee leaking sensitive information or documents via social media online. The real concern, says Cisco Canada’s chief technology officer Jeff Seifert, is “when you start tweeting about what meetings you're at, or what customers you're meeting with”—without considering with whom that information is being shared.

But social media can also be a vector for more direct attacks. In the same Panda Security survey mentioned above, nearly 70 per cent of respondents feared the threat of malware or virus infection. In a separate question, one-third claimed to have actually suffered malware infections distributed via social networks.

The trick for a would-be attacker is to infiltrate a user’s circle of trust, posing as a legitimate friend or member. Within the perceived privacy of a social media network, an employee is likely to be much less discerning about what they click on—and from whom.

"With e-mail, we've learned to never click on anything,” said Rene Bonvanie, vice president of worldwide marketing for Palo Alto Networks, in an interview with IT site InfoWorld earlier this summer. “But inside social media, people click on every tiny URL because they trust the sender. That's why botnets we successfully rebuffed five years ago are now coming back via social media."

The traditional signals we associate with phishing attempts and malicious attacks are becoming increasingly difficult to recognize. “We’re seeing attacks that are asking mundane stuff—things that people in the company might normally ask,” said Thompson. “And it’s tough to identify a sign of danger within that semi-normal request.”